Secure way to autosign CSRs by PuppetMaster in AWS environment with multiple accounts

I am trying to find a very secure way to autosign CSRs. I can think of a couple of ways to do it, but the way that I guess will work for us is:

Embed a pre-shared password in our AWS AMIs and Puppet Master, and based on that we create a TOTP on the agent and put it in the CSR. When the agent sends the CSR, the Puppet Master, which has the same pre-shared password, can confirm the TOTP and sign the certificate.

Since our instances are in multiple accounts, there is no way we can check things like instance_id to sign the certs.
If you have any ideas, please share them with me.

I also found this solution but I don't know how I can implement it in an AWS environment.
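
The master-side check in the scheme described above, as an added example that is not part of the original post: an RFC 6238 TOTP verifier of the kind a Puppet policy-based autosign executable (certname as argument, CSR PEM on stdin, exit 0 to sign) could call. It assumes the token has already been read out of the CSR, for example from a `challengePassword` attribute; the function names and the sample secret (the RFC 6238 test key) are illustrative.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)


def totp(secret: bytes, now: float, digits: int = 8, step: int = STEP) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    counter = struct.pack(">Q", int(max(now, 0)) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret: bytes, token: str, now: float, window: int = 1,
           digits: int = 8, step: int = STEP) -> bool:
    """Master side: accept a token from `window` steps either side of `now`.

    The window absorbs clock drift between agent and master and the delay
    between CSR generation and submission. Every candidate is compared in
    constant time and the loop never exits early.
    """
    ok = False
    supplied = token.encode("utf-8", "replace")
    for drift in range(-window, window + 1):
        expected = totp(secret, now + drift * step, digits, step)
        ok |= hmac.compare_digest(expected.encode(), supplied)
    return ok


def autosign_exit_code(secret: bytes, token: str, now: float) -> int:
    """Exit status for the policy executable: 0 = sign, 1 = reject."""
    return 0 if verify(secret, token, now) else 1


if __name__ == "__main__":
    import time
    # Constructed sample secret (RFC 6238 test key), not a real credential.
    secret = b"12345678901234567890"
    agent_token = totp(secret, time.time())          # agent side
    print(autosign_exit_code(secret, agent_token, time.time()))
```

A token stays valid for the whole acceptance window, so the same value can be replayed with a different certname during that time unless the master also records tokens it has already accepted.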